{
	"id": "e978a232-de22-44c6-9e03-79fb1aac6b86",
	"created_at": "2026-04-06T00:21:58.233618Z",
	"updated_at": "2026-04-10T13:11:31.799564Z",
	"deleted_at": null,
	"sha1_hash": "b8c707f425a4774e6834913ecfdfb8936273699f",
	"title": "Volatile Cedar – Analysis of a Global Cyber Espionage Campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 48888,
	"plain_text": "Volatile Cedar – Analysis of a Global Cyber Espionage Campaign\r\nBy bferrite\r\nPublished: 2015-03-31 · Archived: 2026-04-05 15:56:07 UTC\r\nToday, we announced the discovery of Volatile Cedar, a persistent attacker group originating possibly in Lebanon with political ties.\r\nBeginning in late 2012, the carefully orchestrated attack campaign we call Volatile Cedar has been targeting individuals, companies and institutions worldwide. This campaign, led by a persistent attacker group, has successfully penetrated a large number of targets using various attack techniques, and specifically, a custom-made malware implant codenamed Explosive. This report provides an extended technical analysis of Volatile Cedar and the Explosive malware.\r\nMalware attribution is often tricky and deception-prone. With that in mind, investigation of the evidence leads us to suspect Volatile Cedar originates from Lebanon (hence its nickname). Moreover, the Volatile Cedar target vertical distribution strongly aligns with nation-state/political-group interests, eliminating the possibility of financially motivated attackers.\r\nWe have seen clear evidence that Volatile Cedar has been active for almost 3 years. While many of the technical aspects of the threat are not considered “cutting edge”, the campaign has been continually and successfully operational throughout this entire timeline, evading detection by the majority of AV products. This success is due to a well-planned and carefully managed operation that constantly monitors its victims’ actions and rapidly responds to detection incidents.\r\nVolatile Cedar is heavily based on a custom-made remote access Trojan named Explosive, which is implanted within its targets and then used to harvest information. Tracking down these infections was quite a difficult task due to the multiple concealment measures taken by the attackers. The attackers select only a handful of targets to avoid unnecessary exposure. New and custom versions are developed, compiled and deployed specifically for certain targets, and “radio silence” periods are configured and embedded specifically into each targeted implant.\r\nThe modus operandi for this attacker group initially targets publicly facing web servers, with both automatic and manual vulnerability discovery. Once in control of a server, the attackers further penetrate the targeted internal network via various means, including manual online hacking as well as an automated USB infection mechanism.\r\nIn our report, we discuss the attack vectors and infection techniques used by the attack campaign as well as provide indicators that can be used to detect and remove the infection. We’ve provided some more basic information below.\r\nFor in-depth information, please view our media alert and technical report.\r\nWe would like to acknowledge the following people for their contribution to the research efforts leading to this report: Lead researcher Yaniv Balmas, Irena Damsky, Maya Horowitz, Assaf Krintza, Michael Shalyt, Shahar Tal, Ron Davidson and Rachel Teitz.\r\nhttps://blog.checkpoint.com/2015/03/31/volatilecedar/\r\nPage 1 of 3\r\nVolatile Cedar – The Facts\r\nWhat is Volatile Cedar?\r\nVolatile Cedar is an APT malware campaign first detected and investigated by Check Point.\r\nWho are the attackers behind Volatile Cedar?\r\nWe have seen evidence which suggests the attacker group is based in Lebanon. Victim geography and verticals may indicate the interests of a government/political group.\r\nWho was attacked?\r\nAmong the confirmed targets, we identified defense contractor firms, telecommunications and media companies, and educational institutions. We confirmed live infections in approximately 10 different countries, including the USA, Canada, UK, Turkey, Lebanon and Israel.\r\nWhat technical measures are used in the Volatile Cedar campaign?\r\nThe attacker’s main tool is a custom malware implant codenamed ‘Explosive’ (named by the attackers). Additionally, we have found traces of common hacking tools such as vulnerability scanners, web shells and public exploit code.\r\nWhy is it named Volatile Cedar?\r\nVolatile is a synonym for explosive, and the cedar is Lebanon’s national emblem.\r\nHow long has Volatile Cedar been operational?\r\nWe have seen evidence of activity starting in early 2012, and it is still ongoing as of this writing.\r\nWhat is Check Point doing to mitigate this threat?\r\nCheck Point has deployed software protections to all its customers against the technical indicators of this attack. Additionally, we are publishing a report which describes and examines the security risks involved.\r\nHas Volatile Cedar been detected before?\r\nEarlier versions of the Explosive implant have been heuristically classified as malicious by multiple AV products. Each detection has almost immediately been followed by the removal of the compromised tool and the creation of a new, undetected, version. This is further proof of the group’s relatively high operational level.\r\nWhere did Check Point first detect Volatile Cedar?\r\nCheck Point detected the Explosive malware on a web server in a customer network.\r\nWhat abilities does Explosive have?\r\nThe implant has both passive collection methods and on-demand capabilities. Once installed, the tool continuously runs a keylogger and a clipboard logger, which transmit the results to the C\u0026C server. In addition, Explosive has a wide array of options that can be activated by a C\u0026C command, including a variety of data theft and machine fingerprinting capabilities, stealth and self-destruction functions, proliferation options and a remote shell.\r\nFinally, the creators of Explosive went to great lengths to assure operational stealth to protect against exposure, including memory usage monitoring, process listing etc.\r\nCan Explosive cause damage?\r\nThe main threat is sensitive data theft and cyber espionage. The implant has built-in file deletion functionality as well as arbitrary code execution, making it possible for the attackers to inflict a lot of damage on an infected system.\r\nHow can I remove the Explosive malware?\r\nThe Check Point technical report indicates which elements to remove to mitigate the live malware infection. Note: As in any malware infection, the attackers may have obtained credentials or other methods of accessing your network, which requires additional means of protection.\r\nI have significant information about the campaign or its victims. Who do I contact?\r\nWe have opened the volatilecedar@checkpoint.com mailbox for information sharing purposes.\r\nSource: https://blog.checkpoint.com/2015/03/31/volatilecedar/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.checkpoint.com/2015/03/31/volatilecedar/"
	],
	"report_names": [
		"volatilecedar"
	],
	"threat_actors": [
		{
			"id": "42a6a29d-6b98-4fd6-a742-a45a0306c7b0",
			"created_at": "2022-10-25T15:50:23.710403Z",
			"updated_at": "2026-04-10T02:00:05.281246Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"Whisper Spider"
			],
			"source_name": "MITRE:Silence",
			"tools": [
				"Winexe",
				"SDelete"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bc5c22a8-29eb-4a87-acd6-4817060e80f2",
			"created_at": "2022-10-25T15:50:23.658256Z",
			"updated_at": "2026-04-10T02:00:05.38013Z",
			"deleted_at": null,
			"main_name": "Volatile Cedar",
			"aliases": [
				"Volatile Cedar",
				"Lebanese Cedar"
			],
			"source_name": "MITRE:Volatile Cedar",
			"tools": [
				"Caterpillar WebShell"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "17b152bc-6f7e-463c-8b4c-a4844caea6df",
			"created_at": "2023-01-06T13:46:38.498795Z",
			"updated_at": "2026-04-10T02:00:03.000373Z",
			"deleted_at": null,
			"main_name": "Volatile Cedar",
			"aliases": [
				"Lebanese Cedar",
				"DeftTorero"
			],
			"source_name": "MISPGALAXY:Volatile Cedar",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5e7c75c6-097f-4d80-8c98-73485fe2a729",
			"created_at": "2022-10-25T16:07:24.386715Z",
			"updated_at": "2026-04-10T02:00:04.970172Z",
			"deleted_at": null,
			"main_name": "Volatile Cedar",
			"aliases": [
				"Amethyst Rain",
				"Dancing Salome",
				"DeftTorero",
				"G0123",
				"VolcanicTimber"
			],
			"source_name": "ETDA:Volatile Cedar",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Adminer",
				"DirBuster",
				"GoBuster",
				"JuicyPotato",
				"RottenPotato",
				"SharPyShell"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "eb5915d6-49a0-464d-9e4e-e1e2d3d31bc7",
			"created_at": "2025-03-29T02:05:20.764715Z",
			"updated_at": "2026-04-10T02:00:03.851829Z",
			"deleted_at": null,
			"main_name": "GOLD WYMAN",
			"aliases": [
				"Silence "
			],
			"source_name": "Secureworks:GOLD WYMAN",
			"tools": [
				"Silence"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "88e53203-891a-46f8-9ced-81d874a271c4",
			"created_at": "2022-10-25T16:07:24.191982Z",
			"updated_at": "2026-04-10T02:00:04.895327Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"ATK 86",
				"Contract Crew",
				"G0091",
				"TAG-CR8",
				"TEMP.TruthTeller",
				"Whisper Spider"
			],
			"source_name": "ETDA:Silence",
			"tools": [
				"EDA",
				"EmpireDNSAgent",
				"Farse",
				"Ivoke",
				"Kikothac",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Meterpreter",
				"ProxyBot",
				"ReconModule",
				"Silence.Downloader",
				"TiniMet",
				"TinyMet",
				"TrueBot",
				"xfs-disp.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434918,
	"ts_updated_at": 1775826691,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b8c707f425a4774e6834913ecfdfb8936273699f.pdf",
		"text": "https://archive.orkl.eu/b8c707f425a4774e6834913ecfdfb8936273699f.txt",
		"img": "https://archive.orkl.eu/b8c707f425a4774e6834913ecfdfb8936273699f.jpg"
	}
}